WHAT IS CLAIMED IS: 



1 LA method for encrypted data storage in a storage system: 

2 converting encrypted blocks of data to produce corresponding converted 

3 blocks of data, wherein an encrypted block of data is encrypted with first cryptographic 

4 criteria, wherein a converted block of data is encrypted with second cryptographic criteria; 

5 receiving a read request during said step of converting in order to access read 

6 data from said storage system and in response thereto accessing said read data from at least 

7 one decrypted block of data, wherein if said read data is stored in an encrypted block of data, 

8 then decrypting it using said first cryptographic criteria to produce said at least one decrypted 

9 block of data, wherein if said read data is stored in a converted block of data, then decrypting 

10 it using said second cryptographic criteria to produce said at least one decrypted block of 

1 1 data; and 

12 receiving a write request during said step of converting in order to store write 

13 data to said storage system and in response thereto writing at least a first block of data to said 

14 storage system, said first block of data comprising data to be written, wherein if said first 

15 block of data is targeted to an encrypted block of data, then encrypting at least some of it 

16 using said first cryptographic criteria to produce said first block of data, wherein if said first 

17 block of data is targeted to a converted block of data, then encrypting at least some of it using 

1 8 said second cryptographic criteria to produce said first block of data. 

1 2. The method of claim 1 wherein said step of converting comprises a 

2 step of replacing each encrypted block of data by its corresponding converted block of data. 

1 3. The method of claim 1 wherein some of said steps of encrypting and 

2 decrypting comprise executing computer program code on a data processing component. 

1 4, The method of claim 3 fiirther comprising accessing at least one of said 

2 encryption and decryption criteria over a commimication network. 

1 5. The method of claim 1 wherein some of said steps of encrypting and 

2 decrypting are performed on logic circuitry configured to perform cryptographic operations. 

1 6. The method of claim 1 wherein said read request is a file«level read 

2 request and said step of accessing said read data includes producing one or more block-level 

3 read requests based on said file-level read request. 
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1 7. The method of claim 6 wherein said write request is a file-level write 

2 request and said step of writing at least a first block of data includes producing one or more 

3 block-level write requests based on said file-level write request. 

1 8. The method of claim 7 wherein said file-level read request and said 

2 file-level write request are received firom a host device. 

1 9. A method for storing encrypted data on a storage system comprising: 

2 converting first data blocks of said storage system to produce corresponding 

3 second data blocks, including encrypting said first data blocks to produce said second data 

4 blocks and replacing each first data block with its corresponding second data block; and 

5 accessing read data firom said storage device in response to a read request, 

6 including accessing a third data block and decrypting said third data block if said third data 

7 block is one of said second data blocks, to produce a decrypted data block so that said read 

8 data can be read therefi-om, 

9 wherein said step of accessing read data is performed during said step of 
10 converting so that said converting does not prevent read access to said storage system. 

1 10. The method of claim 9 further comprising storing a fourth data block 

2 to said storage device in response to a write request, said fourth data block comprising data to 

3 be written, said step of storing including encrypting said fourth data block if it is to be written 

4 to one of said second data blocks, wherein said step of storing is performed during said step 

5 of converting so that said converting does not prevent write access to said storage system. 

1 11. The method of claim 9 wherein said first data blocks are not encrypted. 

1 12. The method of claim 9 wherein said first data blocks are encrypted 

2 with first encryption criteria and said second data blocks are encrypted with second 

3 encryption criteria, the method fiirther comprising, prior to said step of encrypting first data 

4 blocks, a step of appljdng first decryption criteria to said first data blocks to decrypt said first 

5 data blocks. 

1 13. The method of claim 12 wherein said step of decrypting said third data 

2 block includes applying first decryption criteria to said third data block if said third data 

3 block belongs to one of said first data blocks and applying second decryption criteria to said 
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4 third data block if said third data block belongs to one of said second data blocks, to produce 

5 said decrypted data block. 

1 14. The method of claim 13 further comprising storing a fourth data block 

2 to said storage device in response to a write request, said fourth data block comprising data to 

3 be written, said step of storing comprising: 

4 encrypting said fourth data block with said first encryption criteria if it is to be 

5 written to one of said first data blocks; and 

6 encrypting said fourth data block with said second encryption criteria if it is to 

7 be written to one of said second data blocks, 

8 wherein said step of storing is performed during said step of converting so that 

9 said converting does not prevent write access to said storage system. 

1 15. A storage system comprising: 

2 a storage component; and 

3 a cryptographic component in data communication with said storage 

4 component and operable to convert unconverted blocks of data stored thereon to produce 

5 corresponding converted blocks of data, each converted block of data replacing its 

6 corresponding unconverted block of data on said storage component and in the same location 

7 as its corresponding unconverted block, 

8 wherein said cryptographic component is further operable to receive read and 

9 write requests for data stored on said storage component, while unconverted blocks of data 

10 are converted to converted blocks of data, 

1 1 wherein said cryptographic component is further operable to process a read 

12 request by accessing read blocks associated with said read request firom said storage 

13 component, wherein if a read block is unconverted, then performing a first cryptographic 

14 process on said read block to produce an unencrypted read block, wherein if said read block 

15 is converted, then performing a second cryptographic process on said read block to produce 

1 6 said unencrypted read block, 

17 wherein said cryptographic component is further operable to process a write 

1 8 request by writing one or more write blocks associated with said write request from said 

19 storage component, wherein if a write block is to be written to a block location that contains 

20 an unconverted block, then performing said first crj^tographic process on said write block 

21 prior to writing said write block, wherein if a write block is to be written to a block location 
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22 that contains a converted block, then performing said second cryptographic process on said 

23 write block prior to writing said write block. 

1 16. The storage apparatus of claim 15 further comprising a file system 

2 component configured to receive file-level read and write requests from one or more host 

3 devices, to produce said read and write requests based on said file-level read and write 

4 requests, and to communicate said read and write requests to said cryptographic component. 

1 17. The storage apparatus of claim 15 wherein said storage component 

2 comprises an I/O interface and said cryptographic component comprises a first I/O interface 

3 and a second I/O interface, wherein said first I/O interface is configured for communication 

4 with a host device, wherein said second I/O interface is in data communication with said I/O 

5 interface of said storage component. 

1 18. The storage apparatus of claim 15 wherein said cryptographic 

2 component comprises one or more encryption engines. 

1 19. The storage apparatus of claim 15 wherein said cryptographic 

2 component is further operable to obtain criteria which specify said second cryptographic 

3 process prior to converting unconverted blocks of data to converted blocks of data. 

1 20. The storage process of claim 15 wherein said first cryptographic 

2 process is a NULL process. 

1 21 . A method for storing and accessing data on a storage system 

2 comprising: 

3 receiving from a host device file-level I/O requests; 

4 converting blocks of data stored in said storage system, including for each 

5 block of data: 

6 performing a first decryption of said block of data to produce an 

7 unencrypted block of data, said block of data being encrypted by a first encryption; 

8 performing a second encryption of said unencrypted block of data to 

9 produce an encrypted block of data; and 

10 overwriting said block of data; 

1 1 during said converting, receiving and servicing a file-level read request; and 

12 during said converting, receiving and servicing a file-level write request, 
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13 wherein servicing said file-level read request comprises: 

14 producing one or more block-level read operations; and 

15 decrypting a corresponding block of said block-level read operation 

16 with either said first or second decryption depending on how it was encrypted, 

17 wherein servicing said file-level write request comprises: 

1 8 producing one or more block-level write operations; 

1 9 encrypting a corresponding block of data of said block-level vmte 

20 operation with said first encryption, if it is targeted to a block location in said storage 

21 system containing data that was encrypted with said first encryption; and 

22 encrypting said corresponding block of data of said block-level write 

23 operation with said second encryption, if it is targeted to a block location in said 

24 storage system containing data that was encrypted with said second encryption. 

1 22. The method of claim 21 wherein some of said steps of encrypting and 

2 decrypting comprise executing computer program code on a data processing component. 

1 23. The method of claim 22 fiirther comprising accessing at least one of 

2 said encryption and decryption criteria over a communication network. 

1 24. The method of claim 21 wherein some of said steps of encrypting and 

2 decrypting are performed on logic circuitry configured to perform cryptographic operations. 

1 25. The method of claim 21 wherein said blocks of data are converted in 

2 sequential order as they are stored in said storage system. 

1 26. The method of claim 21 further comprising receiving information 

2 identifying a list of blocks to be converted. 



17 



